US11675916B2ActiveUtilityA1

Method and system for limiting data accessibility in composed systems

50
Assignee: DELL PRODUCTS LPPriority: Jan 28, 2021Filed: Jan 28, 2021Granted: Jun 13, 2023
Est. expiryJan 28, 2041(~14.6 yrs left)· nominal 20-yr term from priority
G06F 21/52G06F 2221/033G06F 21/62H04L 63/102
50
PatentIndex Score
0
Cited by
123
References
20
Claims

Abstract

A system for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems includes a system control processor that instantiates a composed information handling system using a compute resource set that hosts applications and a hardware resource set that stores a portion of the data, associates, using authorization information, storage areas of the at least one hardware resource set with the applications to obtain storage area associations, obtains a data access request from the compute resource set for the portion of the data which is stored in a storage area of the storage areas, makes a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data, and refuses to service the data access request.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems, comprising:
 a storage for storing authorization information; and 
 a system control processor manager programmed to:
 instantiate a composed information handling system of the composed information handling systems using an at least one compute resource set that hosts at least one of the applications and at least one hardware resource set that stores a portion of the data; 
 associate, using the authorization information, storage areas of the at least one hardware resource set with the applications to obtain storage area associations; 
 obtain a data access request from the at least one compute resource set for the portion of the data which is stored in a storage area of the storage areas; 
 make a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data; 
 refuse, based on the determination, to service the data access request; 
 identify a monitoring trigger event associated with monitoring modifications to the initiator, wherein the monitoring trigger event is the refusal to service the data access request; 
 in response to identifying the monitoring trigger event, make a second determination that the initiator was unknowingly modified; and 
 perform a remediation action set based on the second determination. 
 
 
     
     
       2. The system of  claim 1 , wherein the storage area associations specify that the initiator is not associated with the storage area. 
     
     
       3. The system of  claim 2 , wherein the initiator of the data access request is an application of the at least one of the applications. 
     
     
       4. The system of  claim 1 , wherein the data access request indicates an identity of the initiator and the storage area. 
     
     
       5. The system of  claim 1 , wherein instantiating a composed information handling system of the composed information handling systems using a compute resource set that executes at least one of the applications and a hardware resource set that stores a portion of the data comprises preparing at least one control resource set to provide management services for the at least one compute resource set and the at least one hardware resource set. 
     
     
       6. The system of  claim 5 , wherein the at least one control resource set comprises a system control processor. 
     
     
       7. The system of  claim 6 , wherein the management services comprise:
 intercepting data access requests from the at least one compute resource set by presenting the hardware resource set as bare metal resources; and 
 monitoring the applications to identify potentially compromised applications based on the intercepted data access requests and monitoring trigger events. 
 
     
     
       8. A method for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems, comprises:
 instantiating a composed information handling system of the composed information handling systems using an at least one compute resource set that executes hosts at least one of the applications and an at least one hardware resource set that stores a portion of the data; 
 associating, using authorization information, different storage areas of the at least one hardware resource set with the applications to obtain storage area associations; 
 obtaining a data access request from the at least one compute resource set for the portion of the data which is stored in a storage area of the storage areas; 
 making a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data; 
 refusing, based on the determination, to service the data access request; 
 identifying a monitoring trigger event associated with monitoring modifications to the initiator, wherein the monitoring trigger event is the refusal to service the data access request; 
 in response to identifying the monitoring trigger event, making a second determination that the initiator was unknowingly modified; and 
 performing a remediation action set based on the second determination. 
 
     
     
       9. The method of  claim 8 , wherein the storage area associations specify that the initiator is not associated with the storage area. 
     
     
       10. The method of  claim 9 , wherein the initiator of the data access request is an application of the at least one of the applications. 
     
     
       11. The method of  claim 8 , wherein the data access request indicates an identity of the initiator and the storage area. 
     
     
       12. The method of  claim 8 , wherein instantiating a composed information handling system of the composed information handling systems using a compute resource set that executes at least one of the applications and a hardware resource set that stores a portion of the data comprises preparing at least one control resource set to provide management services for the at least one compute resource set and the at least one hardware resource set. 
     
     
       13. The method of  claim 12 , wherein the at least one control resource set comprises a system control processor. 
     
     
       14. The method of  claim 13 , wherein the management services comprise:
 intercepting data access requests from the at least one compute resource set by presenting the hardware resource set as bare metal resources; and 
 monitoring the applications to identify potentially compromised applications based on the intercepted data access requests and monitoring trigger events. 
 
     
     
       15. A non-transitory computer readable medium comprising computer readable program code, which when executed by a computer processor enables the computer processor to perform a method for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems, the method comprising:
 instantiating a composed information handling system of the composed information handling systems using an at least one compute resource set that executes hosts at least one of the applications and an at least one hardware resource set that stores a portion of the data; 
 associating, using authorization information, different storage areas of the at least one hardware resource set with the applications to obtain storage area associations; 
 obtaining a data access request from the at least one compute resource set for the portion of the data which is stored in a storage area of the storage areas; 
 making a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data; 
 refusing, based on the determination, to service the data access request; 
 identifying a monitoring trigger event associated with monitoring modifications to the initiator, wherein the monitoring trigger event is the refusal to service the data access request; 
 in response to identifying the monitoring trigger event, making a second determination that the initiator was unknowingly modified; and 
 performing a remediation action set based on the second determination. 
 
     
     
       16. The non-transitory computer readable medium of  claim 15 , wherein the storage area associations specify that the initiator is not associated with the storage area. 
     
     
       17. The non-transitory computer readable medium of  claim 16 , wherein the initiator of the data access request is an application of the at least one of the applications. 
     
     
       18. The non-transitory computer readable medium of  claim 15 , wherein the data access request indicates an identity of the initiator and the storage area. 
     
     
       19. The non-transitory computer readable medium of  claim 15 , wherein instantiating a composed information handling system of the composed information handling systems using a compute resource set that executes at least one of the applications and a hardware resource set that stores a portion of the data comprises preparing at least one control resource set to provide management services for the at least one compute resource set and the at least one hardware resource set. 
     
     
       20. The non-transitory computer readable medium of  claim 19 , wherein the at least one control resource set comprises a system control processor.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.